Untitled
a guest
Dec 18th, 2017
Results of Lookup
212.252.143.161 is listed

This IP address was detected and listed 4 times in the past 28 days, and 0 times in the past 24 hours. The most recent detection was at Mon Dec 4 17:05:00 2017 UTC +/- 5 minutes.

This IP address is infected with, or is NATting for a machine infected with, a botnet usually associated with the Avalanche malware network. The infection will probably be the Dofoil or Gamarue malware (or one of the other anti-virus vendor aliases, such as Andromeda, Smoke Loader, Win32/Dofoil, W32/Zurgop.BK!tr.dldr, Gamarue and many others).

This is one of the most dangerous bot networks ever to be discovered: every node is fully capable of participating in identity theft, keystroke logging, disk erasure, camera capture, or encrypting files and holding them for ransom (for example the recent WannaCry debacle).

Gamarue (Microsoft's name for the Andromeda bot) and Dofoil (also known as Smoke Loader) are downloaders largely distributed through the Andromeda and Avalanche botnets.

Andromeda is a very large scale malware delivery platform, using Gamarue (and other downloaders) to download malicious software to infected machines. At its peak (Nov/Dec 2017) it had more than 5 million infected machines.

Avalanche is a large-scale content and management platform also designed for the delivery of bullet-proof botnets, and used Andromeda to bootstrap. Avalanche's scale and scope spanned victims in 180 countries, over 800,000 domains in 60+ top-level domains (TLDs), more than one million phishing and spam e-mails, 500,000 infected machines worldwide, and 130TB of captured and analyzed data.

A coordinated effort by international law enforcement agencies, including Germany's Public Prosecutor's Office Verden and the Lüneburg Police, the U.S. Attorney's Office for the Western District of Pennsylvania, the Department of Justice and the Federal Bureau of Investigation (FBI), Europol and Eurojust, as well as partners such as ShadowServer, resulted in one of the most successful anti-cybercrime operations in recent years (late 2016).

An even more successful takedown of Andromeda took place on Nov 29, 2017.

Despite the above, it MUST NOT be assumed that since the network has been disabled this listing no longer matters. As long as the malware remains present on your machine, there is a strong possibility that the infection may become re-enabled. Therefore, every effort should be made to find and eradicate it.

This was detected by a TCP connection from "212.252.143.161" on port "n/a" going to IP address "184.105.192.2" (the sinkhole) on port "443".

The botnet command and control domain for this connection was "3ye1qp37jba.ru".

This detection corresponds to a connection at Mon Dec 4 17:09:51 2017 UTC (this timestamp is believed accurate to within one second).

Detection Information Summary
Destination IP 184.105.192.2
Destination port 443
Source IP 212.252.143.161
Source port n/a
C&C name/domain 3ye1qp37jba.ru
Protocol TCP
Time Mon Dec 4 17:09:51 2017 UTC

Behind a NAT, you should be able to find the infected machine by looking for attempted connections to IP address "184.105.192.2" or host name "3ye1qp37jba.ru" on any port with a network sniffer such as Wireshark. Equivalently, you can examine your DNS server or proxy server logs for references to "184.105.192.2" or "3ye1qp37jba.ru". See Advanced Techniques for more detail on how to use Wireshark - ignore the references to port 25/SMTP traffic - the identifying activity is NOT on port 25.

Please note that some of the above quoted information may be empty (""), "na" or "-". In those cases, the feed has declined or is unable to give us that information. Hopefully enough information will be present to allow you to pinpoint the connections. If not, the destination ports to check are usually port 80, 8080, 443 or high ports (around 16000) outbound from your network. Most of these infections make very large numbers of connections; they should stand out.

These infections are rated as a "severe threat" by Microsoft. The malware is a trojan downloader, and can download and execute ANY software on the infected computer.

You will need to find and eradicate the infection before delisting the IP address.

Norton Power Eraser is a free tool and doesn't require installation. It just needs to be downloaded and run. One of our team has tested the tool with Zeus, Ice-X, Citadel, ZeroAccess and Cutwail. It was able to detect and clean up the system in each case. It probably works with many other infections.

If Microsoft Windows Defender is available to you, use it!

We strongly recommend that you DO NOT simply firewall off connections to the sinkhole IP address[es] given above. These IP address[es] are of sinkholes operated by malware researchers. In other words, they are "sensors" (only) run by "the good guys". The bot "thinks" it's a command and control server run by the botnet operators, but it isn't. It DOES NOT actually download anything, and is not a threat. If you firewall the sinkhole addresses, your IPs will remain infected, will still be able to connect to command and control servers under the botnet owner's control, and will STILL be sending your users'/customers' personal information, including banking information, to the criminal bot operators.

If you do choose to firewall these IPs, PLEASE instrument your firewall to tell you which internal machine is connecting to them so that you can identify the infected machine yourself and fix it.
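The log-based hunt described under "Behind a NAT" above, together with the firewall instrumentation just recommended, as an added example that is not part of the CBL text: a small Python script that scans BIND query-log, Squid access-log and iptables LOG lines for the sinkhole IP and C&C domain from this listing, reports which internal host produced the hits, and falls back to per-host connection counts on the ports the listing names when no indicator is available. The internal addresses 10.0.0.x and the log lines are constructed for the example; the "SINKHOLE" prefix assumes a firewall rule along the lines of `iptables -I FORWARD -d 184.105.192.2 -j LOG --log-prefix "SINKHOLE "` (my assumption, not something the listing specifies), and the width of the "high ports" range is likewise an assumption.

```python
"""Added example, not part of the CBL listing: find the NATted host behind a
sinkhole detection from DNS, proxy and firewall logs."""
import re
from collections import Counter, defaultdict

# Indicators taken from the listing above.
SINKHOLE_IP = "184.105.192.2"
CC_DOMAIN = "3ye1qp37jba.ru"
# Ports the listing says to check when the feed supplies no indicator.
COMMON_PORTS = {80, 8080, 443}
HIGH_PORTS = range(15000, 17001)  # "high ports (around 16000)"; width is an assumption

# Constructed sample logs (hypothetical internal hosts 10.0.0.x).
DNS_LOG = """\
04-Dec-2017 17:09:49.120 queries: info: client 10.0.0.23#51234: query: 3ye1qp37jba.ru IN A + (10.0.0.2)
04-Dec-2017 17:09:50.001 queries: info: client 10.0.0.7#50021: query: www.example.com IN A + (10.0.0.2)
04-Dec-2017 17:09:55.440 queries: info: client 10.0.0.23#51240: query: 3ye1qp37jba.ru IN A + (10.0.0.2)
"""
PROXY_LOG = """\
1512407391.512    120 10.0.0.23 TCP_TUNNEL/200 3210 CONNECT 3ye1qp37jba.ru:443 - HIER_DIRECT/184.105.192.2 -
1512407392.010     80 10.0.0.7 TCP_MISS/200 5120 GET http://www.example.com/ - HIER_DIRECT/93.184.216.34 text/html
"""
FW_LOG = """\
Dec  4 17:09:51 gw kernel: SINKHOLE IN=eth1 OUT=eth0 SRC=10.0.0.23 DST=184.105.192.2 PROTO=TCP SPT=49152 DPT=443
Dec  4 17:09:58 gw kernel: SINKHOLE IN=eth1 OUT=eth0 SRC=10.0.0.23 DST=184.105.192.2 PROTO=TCP SPT=49153 DPT=16001
Dec  4 17:10:02 gw kernel: OTHER IN=eth1 OUT=eth0 SRC=10.0.0.7 DST=93.184.216.34 PROTO=TCP SPT=40000 DPT=80
"""

DNS_RE = re.compile(r"client (\S+)#\d+: query: (\S+) IN ")
FW_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=(\w+)(?: SPT=\d+)? DPT=(\d+)")


def is_ioc(name_or_ip):
    """True if a hostname or IP matches the listing's C&C domain or sinkhole."""
    return name_or_ip.rstrip(".").lower() == CC_DOMAIN or name_or_ip == SINKHOLE_IP


def hits_in_dns(lines):
    """Count BIND query-log lines per client that resolved the C&C domain."""
    hits = Counter()
    for line in lines:
        m = DNS_RE.search(line)
        if m and is_ioc(m.group(2)):
            hits[m.group(1)] += 1
    return hits


def url_host(url):
    """Host part of a Squid URL field: 'host:port' for CONNECT, full URL otherwise."""
    host = url.split("://", 1)[-1].split("/", 1)[0]
    return host.rsplit(":", 1)[0] if ":" in host else host


def hits_in_proxy(lines):
    """Count Squid native-format lines per client whose URL or upstream matches."""
    hits = Counter()
    for line in lines:
        f = line.split()
        if len(f) < 9:
            continue
        client, url, upstream = f[2], f[6], f[8].split("/", 1)[-1]
        if is_ioc(url_host(url)) or is_ioc(upstream):
            hits[client] += 1
    return hits


def hits_in_firewall(lines):
    """Count iptables LOG lines per internal source whose DST is the sinkhole."""
    hits = Counter()
    for line in lines:
        m = FW_RE.search(line)
        if m and is_ioc(m.group(2)):
            hits[m.group(1)] += 1
    return hits


def suspect_port(port):
    return port in COMMON_PORTS or port in HIGH_PORTS


def port_outliers(lines):
    """Fallback with no indicator: outbound TCP connections per host to suspect ports."""
    counts = Counter()
    for line in lines:
        m = FW_RE.search(line)
        if m and m.group(3) == "TCP" and suspect_port(int(m.group(4))):
            counts[m.group(1)] += 1
    return counts


def find_infected(dns_lines, proxy_lines, fw_lines):
    """Merge the three sources into {internal_host: {source: hits}}, busiest first."""
    report = defaultdict(dict)
    for source, hits in (("dns", hits_in_dns(dns_lines)),
                         ("proxy", hits_in_proxy(proxy_lines)),
                         ("firewall", hits_in_firewall(fw_lines))):
        for host, n in hits.items():
            report[host][source] = n
    return dict(sorted(report.items(), key=lambda kv: -sum(kv[1].values())))


def wireshark_filter():
    """Display filter for the packet-capture route the listing describes."""
    return f'ip.addr == {SINKHOLE_IP} || dns.qry.name == "{CC_DOMAIN}"'


if __name__ == "__main__":
    for host, hits in find_infected(DNS_LOG.splitlines(), PROXY_LOG.splitlines(),
                                    FW_LOG.splitlines()).items():
        print(host, hits)
    print("fallback per-host counts:", dict(port_outliers(FW_LOG.splitlines())))
    print("Wireshark filter:", wireshark_filter())
```

On the constructed input only 10.0.0.23 touches the indicators (two DNS queries, one CONNECT through the proxy, two firewall log hits), which is the machine to pull off the network and clean. Note that the firewall rule must LOG and not only DROP: a silent drop is exactly the "firewall the sinkhole and learn nothing" outcome the listing warns against.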

We are enhancing the instructions on how to find these infections, and more information will be given here as it becomes available.

Virtually all detections made by the CBL are of infections that do NOT leave any "tracks" for you to find in your mail server logs. This is even more important for the malware described here: these detections are made from network-level observations of malicious behaviour and may NOT involve malicious email being sent.

For more information on this botnet, and mitigation strategies, please see: